On 4 Feb 2011, at 09:38, Akbar Hossain wrote:
> Yes. I have been playing with dns (bind) doing pretty much this.
>
> Going back to a blog by Dan and an idea around a dyndns service and the http://fingerprint.example.com idea that the other Dan mentions. (The protocol http is not relevant in this dns zone lookup.)
You need to help me out with the Dans here. I am lost :-) Are you thinking of Dan Brickley and Dan Kaminsky?
>
> Essentially you should be able to register with a dns service. Publish your public key and IP and sign it. What the server does is perhaps sign that entry too, but not sure it's necessary. (A set of such servers could create a network etc., closed or otherwise.)
Yes, that is essentially what the DNSSEC server does. It signs the entries in DNS. It's a hierarchy that goes all the way up to the US, which can be problematic, but is not really that problematic in the end. If one wanted to trust a DNSSEC server without going all the way through the top hierarchy, then one would just have to add that DNS server to one's list of trusted roots. That is what has been happening up till last year, before the root was signed. The danger is that one might end up with a naming clash in that case.
DNS is hierarchical now, and so DNSSEC does not make that any worse. In any case the same idea can work with any secure DNS solution. It's just that my guess is that DNSSEC is going to get a big push now.
Dan Kaminsky in his blog points out an interesting issue, Zooko's Triangle,
which is that it is impossible to have all three of the following properties in a naming system
• Secure: Only the actual owner of the name is found.
• Decentralized: There is no “single point of failure”
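An added illustration of the chain-of-trust point made in the reply above (my example, not code from anyone in this thread): a toy DNSSEC-style validator in Go. Each zone holds a key pair; a parent publishes a signed hash of its child's key (standing in for a DS record), and a resolver accepts a signed record only if it can walk that chain up to a key it has configured as a trust anchor. The zone names, the `fingerprint.example.com.` record and the use of Ed25519 over plain strings are assumptions for the demo; real DNSSEC uses DNSKEY/DS/RRSIG records in canonical wire form with RSA or ECDSA. The three runs show validation against the root key, against an "island" anchor for the zone itself (what resolvers did before the root was signed), and with no anchor at all; the last run shows the naming clash the reply warns about, where a second, unrelated zone also calls itself `example.com.` and whichever anchor the resolver installed decides which one is "real".

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Anchors maps a zone name to the public key a resolver trusts for it:
// normally only the root key, or an "island of security" key added locally.
type Anchors map[string]ed25519.PublicKey

// Zone is a toy DNSSEC-style zone: its key pair, its parent, and the
// DS-like entries it publishes for children (sha256 of the child's key,
// signed with this zone's key). Names and keys here are constructed.
type Zone struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	Parent *Zone
	ds     map[string][]byte // child name -> sha256(child public key)
	dsSig  map[string][]byte // child name -> signature over dsMessage
}

// dsMessage is the byte string the parent signs for a child's DS entry.
func dsMessage(child string, hash []byte) []byte {
	return append([]byte("DS|"+child+"|"), hash...)
}

// NewZone creates a zone and, when it has a parent, registers a signed DS
// entry for it in the parent. A zone with a nil parent is a root (or island).
func NewZone(name string, parent *Zone) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	z := &Zone{Name: name, Pub: pub, priv: priv, Parent: parent,
		ds: map[string][]byte{}, dsSig: map[string][]byte{}}
	if parent != nil {
		h := sha256.Sum256(pub)
		parent.ds[name] = h[:]
		parent.dsSig[name] = ed25519.Sign(parent.priv, dsMessage(name, h[:]))
	}
	return z
}

// SignRecord produces the RRSIG-like signature over one record string.
func (z *Zone) SignRecord(rr string) []byte {
	return ed25519.Sign(z.priv, []byte(rr))
}

// AnchorFor builds a trust-anchor set from the given zones' current keys.
func AnchorFor(zones ...*Zone) Anchors {
	a := Anchors{}
	for _, z := range zones {
		a[z.Name] = z.Pub
	}
	return a
}

// Validate checks the record signature with the zone's key, then walks the
// DS chain upwards until it meets a configured trust anchor. It fails if an
// anchor exists for a name but holds a different key (naming clash), if a
// DS link does not verify, or if the root is reached without any anchor.
func Validate(z *Zone, rr string, sig []byte, anchors Anchors) error {
	if !ed25519.Verify(z.Pub, []byte(rr), sig) {
		return errors.New("RRSIG does not verify")
	}
	for cur := z; cur != nil; cur = cur.Parent {
		if key, ok := anchors[cur.Name]; ok {
			if key.Equal(cur.Pub) {
				return nil // chain terminates at a trusted key
			}
			return fmt.Errorf("anchor for %q holds a different key than the zone presents", cur.Name)
		}
		p := cur.Parent
		if p == nil {
			return fmt.Errorf("reached %q without meeting a trust anchor", cur.Name)
		}
		h := sha256.Sum256(cur.Pub)
		if !bytes.Equal(p.ds[cur.Name], h[:]) ||
			!ed25519.Verify(p.Pub, dsMessage(cur.Name, h[:]), p.dsSig[cur.Name]) {
			return fmt.Errorf("DS for %q in %q does not match its key", cur.Name, p.Name)
		}
	}
	return errors.New("unreachable")
}

func main() {
	root := NewZone(".", nil)
	com := NewZone("com.", root)
	ex := NewZone("example.com.", com)
	rr := "fingerprint.example.com. IN A 192.0.2.1" // constructed sample record
	sig := ex.SignRecord(rr)

	fmt.Println("root anchor:  ", Validate(ex, rr, sig, AnchorFor(root)))
	fmt.Println("island anchor:", Validate(ex, rr, sig, AnchorFor(ex)))
	fmt.Println("no anchor:    ", Validate(ex, rr, sig, Anchors{}))

	// Naming clash: an unrelated island also calls itself example.com.
	rogue := NewZone("example.com.", nil)
	fmt.Println("wrong island: ", Validate(ex, rr, sig, AnchorFor(rogue)))
}
```

The island case passes without the root key ever being consulted, which is exactly why it worked before the root was signed, and the last case is the cost: an anchor keyed only by name cannot tell two claimants of `example.com.` apart, so the resolver's local anchor list silently decides the dispute.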